Specify NTLM authentication domains


Use the Specify NTLM authentication domains group policy to specify the list of domains that use NTLM authentication instead of Kerberos authentication.

This group policy lets you authenticate users from domains on the other side of a firewall that blocks the Kerberos ports, provided a trust relationship exists between the domains inside and outside the firewall: for the listed domains, adclient uses NTLM authentication instead of Kerberos. Because NTLM does not provide the mutual authentication Kerberos does, list only the domains that actually require it.

For example, use this group policy to specify that the Active Directory domains AJAX.ORG and FIREFLY.COM, which are outside of the firewall with a one-way trust to the forest inside the firewall, use NTLM authentication.

To set this group policy, select Computer Configuration > Centrify Settings > DirectControl Settings > Pam Settings > Specify NTLM authentication domains.

Provide the following information for the group policy:

  • One or more fully-qualified Active Directory domain names.

  • The mapping from each Active Directory domain name to its NTLM domain name.

    These mappings can be established automatically or manually:

    • automatically, if the firewall does not prevent the mapping from being discovered.
    • manually, if the firewall prevents the mapping from being discovered automatically, by modifying the contents of the /etc/centrifydc/domains.conf file.

      To configure the mapping manually, use either the group policy Specify AD to NTLM domain mappings or the configuration parameter adclient.ntlm.domains.

As an alternative to this group policy, Specify NTLM authentication domains, you can set the configuration parameter pam.ntlm.auth.domains in the centrifydc.conf file.
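The two configuration parameters named on this page, applied as an added example that is not Centrify's own code or documentation: a POSIX shell script that sets pam.ntlm.auth.domains and adclient.ntlm.domains in centrifydc.conf for the AJAX.ORG and FIREFLY.COM case, backing up the file first and replacing a commented-out template entry if one is present. The `key: value` line syntax, the space-separated value formats (plain domain names for the first parameter, AD_DOMAIN:NTLM_DOMAIN pairs for the second), the NetBIOS names AJAX and FIREFLY, the CENTRIFYDC_CONF override and the availability of the adreload command are assumptions, not taken from this page.

```shell
#!/bin/sh
# Added example (not Centrify's own code): set the two centrifydc.conf
# parameters that stand in for the group policies on this page.
# Assumptions (not stated on the page):
#   - parameters use "key: value" syntax in /etc/centrifydc/centrifydc.conf
#   - pam.ntlm.auth.domains takes a space-separated list of AD domain names
#   - adclient.ntlm.domains takes space-separated AD_DOMAIN:NTLM_DOMAIN pairs
#   - `adreload` re-reads the configuration without restarting adclient

CONF="${CENTRIFYDC_CONF:-/etc/centrifydc/centrifydc.conf}"

# Set KEY to VALUE in FILE: replace the first matching line, active or
# commented out ("# key: ..."), otherwise append; leaves permissions intact.
set_conf_param() {
  file=$1 key=$2 value=$3
  tmp=$(mktemp) || return 1
  awk -v key="$key" -v value="$value" '
    {
      line = $0
      sub(/^[#[:space:]]+/, "", line)   # ignore leading "#" and blanks
      if (!done && index(line, key ":") == 1) {
        print key ": " value
        done = 1
        next
      }
      print
    }
    END { if (!done) print key ": " value }
  ' "$file" > "$tmp" && cat "$tmp" > "$file"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Print the effective value of KEY in FILE (last non-comment occurrence wins).
get_conf_param() {
  awk -v key="$2" '
    /^[[:space:]]*#/ { next }
    index($0, key ":") == 1 {
      v = substr($0, length(key) + 2)
      sub(/^[[:space:]]+/, "", v)
      sub(/[[:space:]]+$/, "", v)
      val = v
    }
    END { print val }
  ' "$1"
}

# Apply the page's example: AJAX.ORG and FIREFLY.COM authenticate via NTLM,
# with their NTLM (NetBIOS) names mapped explicitly because the firewall
# blocks automatic discovery. Keep the list minimal: NTLM lacks the mutual
# authentication of Kerberos, so only list domains that cannot use Kerberos.
configure_ntlm_domains() {
  conf=$1
  cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)" || return 1
  set_conf_param "$conf" pam.ntlm.auth.domains "AJAX.ORG FIREFLY.COM"
  set_conf_param "$conf" adclient.ntlm.domains "AJAX.ORG:AJAX FIREFLY.COM:FIREFLY"
  # Make adclient pick up the change (assumed command; skipped if not installed).
  if command -v adreload >/dev/null 2>&1; then
    adreload
  fi
}

# Run with --apply to edit the live file; without it nothing is changed.
if [ "${1:-}" = "--apply" ]; then
  configure_ntlm_domains "$CONF"
  echo "pam.ntlm.auth.domains = $(get_conf_param "$CONF" pam.ntlm.auth.domains)"
  echo "adclient.ntlm.domains = $(get_conf_param "$CONF" adclient.ntlm.domains)"
fi
```

Run it as `sh set-ntlm-domains.sh --apply` on the joined host; without `--apply` it only defines the functions, so they can first be exercised on a scratch copy of the file. Domains not in the list keep using Kerberos, which is the point of keeping the list short.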